date: '2022-04-04'
sections:
  security_fixes:
    - 'MEDIUM: A path traversal vulnerability was identified in {% data variables.product.prodname_ghe_server %} Management Console that allowed the bypass of CSRF protections. This vulnerability affected all versions of {% data variables.product.prodname_ghe_server %} prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the {% data variables.product.prodname_dotcom %} Bug Bounty program and has been assigned CVE-2022-23732.'
    - 'MEDIUM: An integer overflow vulnerability was identified in the 1.x branch and the 2.x branch of `yajl` which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. This vulnerability was reported internally and has been assigned CVE-2022-24795.'
    - Support bundles could include sensitive files if {% data variables.product.prodname_actions %} was enabled.
    - Packages have been updated to the latest security versions.
  bugs:
    - Minio processes would have high CPU usage if an old configuration option was present after upgrading {% data variables.product.prodname_ghe_server %}.
    - The options to enable `TLS 1.0` and `TLS 1.1` in the Privacy settings of the Management Console were shown, although removal of those protocol versions occurred in an earlier release.
    - In an HA environment, configuring MSSQL replication could require additional manual steps after enabling {% data variables.product.prodname_actions %} for the first time.
    - A subset of internal configuration files are more reliably updated after a hotpatch.
    - The `ghe-run-migrations` script would sometimes fail to generate temporary certificate names correctly.
    - In a cluster environment, Git LFS operations could fail with failed internal API calls that crossed multiple web nodes.
    - Pre-receive hooks that used `gpg --import` timed out due to insufficient `syscall` privileges.
    - In some cluster topologies, webhook delivery information was not available.
    - In HA configurations, tearing down a replica would fail if {% data variables.product.prodname_actions %} had previously been enabled.
    - Elasticsearch health checks would not allow a yellow cluster status when running migrations.
    - Organizations created as a result of a user transforming their user account into an organization were not added to the global enterprise account.
    - When using `ghe-migrator` or exporting from {% data variables.product.prodname_dotcom_the_website %}, a long-running export would fail when data was deleted mid-export.
    - The {% data variables.product.prodname_actions %} deployment graph would display an error when rendering a pending job.
    - Links to inaccessible pages were removed.
    - Navigating away from a comparison of two commits in the web UI would have the diff persist in other pages.
    - Adding a team as a reviewer to a pull request would sometimes show the incorrect number of members on that team.
    - The [Remove team membership for a user](/rest/reference/teams#remove-team-membership-for-a-user) API endpoint would respond with an error when attempting to remove a member managed externally by a SCIM group.
    - A large number of dormant users could cause a {% data variables.product.prodname_github_connect %} configuration to fail.
    - The "Feature & beta enrollments" page in the Site admin web UI was incorrectly available.
    - The "Site admin mode" link in the site footer did not change state when clicked.
    - 'The `spokesctl cache-policy rm` command no longer fails with the message `error: failed to delete cache policy`.'
  changes:
    - Memcached connection limits were increased to better accommodate large cluster topologies.
    - The Dependency Graph API previously ran with a statically defined port.
    - The default shard counts for cluster-related Elasticsearch shard settings have been updated.
    - The “Triage” and “Maintain” team roles are preserved during repository migrations.
    - Performance has been improved for web requests made by enterprise owners.
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.